Presentation is loading. Please wait.

Presentation is loading. Please wait.

802.11 User Fingerprinting MobiCom 2007 (Sept 9-14 2007 Montreal, Quebec, Canada)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "802.11 User Fingerprinting MobiCom 2007 (Sept 9-14 2007 Montreal, Quebec, Canada)"— Presentation transcript:

1 802.11 User Fingerprinting MobiCom 2007 (Sept 9-14 2007 Montreal, Quebec, Canada)

2 Authors Jeffery Pang Ben Greenstein Ramakrishna Gummadi Srinivasan Seshan David Wetherall  Carnegie Mellon  Intel Research  U of Southern California  Carnegie Mellon  U of Washington

3 Problem Statement The best practices for securing 802.11 networks, embodied in the 802.11i standard, provide user authentication, service authentication, data confidentiality, and data integrity. However, they do not provide anonymity, a property essential to prevent location tracking.

4 Objectives Demonstrate that existing user identification and tracking countermeasures are ineffective Highlight four previously unrecognized unique traffic identifiers (implicit identifiers) Present an automated procedure to uniquely identify wireless users

5 Problem In Detail The Implicit Identifier Problem ◦SSID Broadcast with identifiable names  “MIT” or “UniversityofWashington” ◦Traffic Patterns  Periodic IMAP or SMTP connections to an identifiable mail server  Unique repetitive packet/frame sizes ◦Design Flaws/Implementation Variances  Fingerprinting higher layers in the stack (nmap/p0f)  Timing Characteristics

6 WiGLE.net Implicit Identifiers map to physical locations Map SSID’s from captures to a 1 block radius

7 Related Work Location Privacy ◦RFID devices ◦GPS enabled devices Identity Hiding ◦Using pseudonyms to mask MAC addresses (Gruteser, Jiang, Stajano) Implicit Identifiers ◦Fingerprinting 802.11 driver timings (Franklin, Kohno) ◦Clickprints (Padmanabhan and Yang)

8 The Test Bed The Adversary ◦Passive monitoring (weak adversary) ◦Using TCPDUMP only The Environment ◦Large and small wireless networks evaluated  2004 SIGCOMM Conference (4 days)  U.C. San Diego CS Building (1 day)  Apartment Building (19 days) ◦Encrypted (WEP/WPA) and Unencrypted Monitoring Scenario ◦Assume pseudonyms are randomly chosen every hour

9 Captured Traffic Statistics Training sigcomm – 1 day uscd – 4 hours apt – 5 days NOTE: Profiled users are those users who were present in both the training set and the validation data.

10 Evaluation Criteria Q1) Did this traffic sample come from user U? ◦Measuring the effectiveness of the classification model ◦User distinctiveness Q2) Was user U here today? ◦Can the presence of user U be detected during a particular 8 hour period?

11 Traffic Characteristics/Identifiers Network Destinations (netdests) ◦Set of IP pairs SSID Probes (ssids) ◦SSID discovery probes typical of Windows XP ◦Preferred networks list Broadcast Packet Sizes (bcast) ◦Set of pairs (or just size if encrypted) MAC Protocol Fields (fields) ◦More fragments, retry, power management, order, authentication algorithm offered, supported transmission rates

12 Identifiers [ssids] [netdests] [bcast] [frame]

13 Classification Model Naïve Bayes Classifier From Bayes’ Theorem: C = class (or U user) F i = implicit identifiers n = 4 in this case

14 Classification Model Feature Generation To compute probabilities implicit identifiers must be converted to real valued feature ◦[fields] – each field combination represents a different value ◦[ssids, bcast, netdests] – set of discrete elements  Weighted version of Jaccard similarity index to determine real-valued feature

15 Classifier Accuracy Accuracy measured by two components ◦True Positive Rate (TPR)  Fraction of validation samples that user U generates the are correctly classified ◦False Positive Rate (FPR)  Fraction of validation samples that user U does not generate that are incorrectly classified

16 Classifier Accuracy Metrics Mean True Positive Rate for a failure rate of 1/100 and 1/10 respectively Complementary cumulative distribution function (CCDF) on sigcomm users (c) FPR =.01 (d) FPR =.1 Mean achieved TPR and FPR for sigcomm users x=y line -> random guessing Max expected TPR

17 Tracking How accurately can the evaluation criteria be answered (Q1, Q2)? Constraints: ◦Public Network: [netdest, ssids, fields, bcast] ◦Home Network: [ssids, fields, bcast] ◦Enterprise Network: [ssids, bcast]

18 Tracking Testing the Classifier Classification accuracy using ‘Public, Home, Enterprise’ constraints Complementary cumulative distribution function (CCDF) FPR =.01 % of users that FPR errors that are less than.01 away from target FPR of 0.01 In all scenarios the classifier is able to identify unique users with 90%+ accuracy

19 Results 90% Accuracy Adversary Detected Users Active Users in a single hour Median active/hours needed to be detected Min/Max sampled needed The number of users that can be accurately identified is between 50% and 83%

20 Results 99% Accuracy The number of users that can be accurately identified is still significant

21 Conclusions Majority of users can be detected with 90% accuracy in public networks with less than 100 concurrent users ◦27% are detectable in all networks with less than 25 concurrent users. ◦Even in large networks 12-52% are detectable Some users can be detected with 99% accuracy ◦12-37% in all networks with 25 users or less.

22 Summary of Findings Ability to identify user’s is not uniform ◦Some users do not display any characteristics that distinguish themselves ◦Majority of users can be tracked with 90% accuracy even when unique names/addresses are removed Any one implicit identifier can be highly discriminating ◦An adversary may only 1-3 samples of user’s traffic to track them on average Research assumptions serve to place a lower bound on the findings ◦Advanced adversary may have a significantly higher percentage of accuracy Applying existing best practices will fail to protect the anonymity of a non-trivial fraction of users ◦Pseudonyms alone are not enough to provide location privacy

23 Next Steps Similar Research ◦Dijiang Huang, “Traffic analysis-based unlinkability measure for IEEE 802.11b-based communication systems”. 5th ACM workshop on Wireless security, 2006. ◦Y. Zhu, R. Bettati, ”Compromising Privacy in Wireless Network Using Cheap Sensors”. Texax A&M University Tech Report, 2005 Transmission Power Fluctuation ◦ J. Cai, H. You, B. Lu, U. Pooch, and L. Mi, “Whisper c a lightweight anonymous communication mechanism in wireless ad-hoc networks,” in Proc. of International Conference on Wireless Networks(ICWN 05), (Las Vegas, Nevada), june 2005. Pseudonyms ◦M. Gruteser and D. Grunwald, “Enhancing location privacy in wireless lan through disposable interfaceidentifiers: a quantitative analysis.,” in WMASH, pp. 46–55, 2003. RSS ◦A. M. Ladd, K. E. Bekris, A. Rudys, G. Marceau, L. E. Kavraki, and D. S. Wallach, “Robotics-basedlocation sensing using wireless Ethernet,” in Proceedings of the Eighth ACM International Conferenceon Mobile Computing and Networking (MOBICOM), (Atlanta, GA), Sept. 2002. Angle of Arrival ◦D. Niculescu and B. Nath, “Vor base stations for indoor 802.11 positioning,” in MobiCom ’04: Pro-ceedings of the 10th annual international conference on Mobile computing and networking, (NewYork, NY, USA), pp. 58–69, ACM Press, 2004. ◦D. Niculescu and B. R. Badrinath, “Ad hoc positioning system (aps) using aoa.,” in INFOCOM, 2003. Time of Arrival ◦R. J. I. Guvenc, C. T. Abdallah and O. Dedeoglu, “Enhancements to rss based indoor tracking systemsusing kalman filters,” in GSPx & International Signal Processing Conference, (Dallas, TX), 2003

Download ppt "802.11 User Fingerprinting MobiCom 2007 (Sept 9-14 2007 Montreal, Quebec, Canada)"

Similar presentations

Our Wireless World Our Wireless World

Our Wireless World Our Wireless World
Security in Wireless Networks Juan Camilo Quintero D. 1041718.

Security in Wireless Networks Juan Camilo Quintero D
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.
Delay and Throughput in Random Access Wireless Mesh Networks Nabhendra Bisnik, Alhussein Abouzeid ECSE Department Rensselaer Polytechnic Institute (RPI)

Delay and Throughput in Random Access Wireless Mesh Networks Nabhendra Bisnik, Alhussein Abouzeid ECSE Department Rensselaer Polytechnic Institute (RPI)
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Enhancing Source-Location Privacy in Sensor Network Routing P.Kamat, Y. Zhang, W. Trappe, C. Ozturk In Proceedings of the 25th IEEE International Conference.

Enhancing Source-Location Privacy in Sensor Network Routing P.Kamat, Y. Zhang, W. Trappe, C. Ozturk In Proceedings of the 25th IEEE International Conference.
Source-Location Privacy Protection in Wireless Sensor Network Presented by: Yufei Xu Xin Wu Da Teng.

Source-Location Privacy Protection in Wireless Sensor Network Presented by: Yufei Xu Xin Wu Da Teng.
Location-Aware Security Services for Wireless Sensor Networks using Network Coding IEEE INFOCOM 2007 최임성.

Location-Aware Security Services for Wireless Sensor Networks using Network Coding IEEE INFOCOM 2007 최임성.
802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Achieving Better Privacy Protection in WSNs Using Trusted Computing Yanjiang YANG, Robert DENG, Jianying ZHOU, Ying QIU.

Achieving Better Privacy Protection in WSNs Using Trusted Computing Yanjiang YANG, Robert DENG, Jianying ZHOU, Ying QIU.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.

Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.

1-1 CMPE 259 Sensor Networks Katia Obraczka Winter 2005 Security.
1 802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World

Similar presentations

Ads by Google